IoT is about to explode, perhaps literally, if privacy and security issues aren't fixed.

Overexposure

To get an idea of how exposed IoT systems are to attack, all you need to do is perform a quick search on the Shodan search engine. A bit of poking around will reveal scores of security cameras, baby monitors, and other webcams (some configured with the flimsiest of security, some with none at all). You can also find control interfaces for medical devices, HVAC systems, city traffic management systems, and lots and lots of vulnerable home broadband routers. Just because they're visible on the naked Internet doesn't necessarily mean that they're easily hackable, but it does mean that once one device of a certain type is breached, attackers can quickly find others.

These devices do more than just talk to the Web. In some cases, Internet-connected embedded devices interact with other things in a way that can affect the physical world: spinning centrifuges a bit faster, unlocking and locking doors, turning up the heat, turning off brakes. Making devices visible to the Internet doesn't necessarily make them hackable in and of itself, but it certainly exposes any possible security gaps to a much larger audience of people willing to give it a shot. And some of these devices may already have well-known exploits that will give an attacker entry. That's because unlike most devices humans use, patching them is extremely complicated.

"On the one end of the spectrum, you have very low-end devices that don't really allow the vendor to provide long-term support for them," explained Raytheon's Daly. "If I sell a garage door opener and it connects to the Internet, it's highly unlikely I'm going to get firmware upgrades. There's no incentive to the manufacturer to provide me free things forever. The same is true with some smart wrist watches and [consumer] health monitors. So if you want to get patched properly, you're probably going to have to buy the next version. That means we're going to have lots of things floating around connected, even forgotten in your house, that can contribute to wider criminal activity."

For example, Daly said, some consumer appliances could be breached not to steal information about their owners. Instead, would-be hackers would use the devices in spam campaigns or distributed denial of service attacks—something that has already happened with home routers.

At the other end of the spectrum in the industrial sector, however, patching might happen even less frequently. Industrial companies "have a different way of dealing with obsolescence management," said National Instruments' Starkloff. "One of the biggest differences from consumer IT is the upgrade cycle. We have one customer monitoring HVAC systems chilling a data center, and these industrial chillers last a long time—some are 80 years old. But the technology for monitoring has a much faster upgrade cycle. How do you build an architecture for things like that that's enabled for upgradability? These industries aren't used to that. They might have a maintenance schedule but not an upgrade schedule."

In addition, Daly said some of these systems are "tied to things that just can't be disrupted. There's no such thing as 'let's throw up a patch and see if the power grid stays up.' You can't just patch them every Tuesday of the month."

Back to the future

It's already been demonstrated that these sorts of industrial IoT systems can pose a financial threat to companies and consumers: the Target data breach was made possible by targeting the remote control virtual private network connections used by a heating and cooling provider to monitor and control HVAC systems at Target's stores. But the "cyberphysical" impact of attacks on IoT systems tied to traffic management and other mundane government and company services could be much more expensive.

"How much disruption could you cause society by messing with traffic lights?" asked Daly. "If we're in the middle of an emergency, suddenly the traffic is all backed up and the water trucks can't deliver into the neighborhoods... you could imagine supply chain disruption on a massive scale if these systems are not well architected."

Considering these are problems that are still being addressed in the personal computing world more than 20 years after the birth of the Web, it's unlikely they'll all be solved any time soon. But the future of IoT technology depends on how well device developers and service providers respond to those challenges.

The IoT future could also be shaped by how governments respond to popular concerns about their privacy. The recent response to security research on connected automobiles and the mixed reception that autonomous unmanned aircraft are getting are just the beginning. Throw in concerns about cloud computing and the upturning of "Safe Harbor" data agreements by the European Union's courts, and the roadmap for the IoT devices gets even more complicated.

But there is reason to believe that despite the obstacles, IoT devices will unleash a new wave of Internet-based services, in ways we can't foresee—much like the way the smartphone came along and changed the world of computing. Fjord's Curtis said that while wearable devices, for instance, "may not achieve quite the same trajectory and pace" of the smartphone's growth, he believes they'll be widely adopted in the next five years. "In all likelihood," he said, "developing markets like India will invent new and unforeseen uses for wearables that leapfrog smartphone functionality and usage habits in more mature markets in the same way as payment technology in Africa on the phone bypassed the desktop Web."

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat